Web3 Security Research

exploits

The $3.2M SquidRouterModule Exploit: How a Public String Drained 86 Safe Wallets

A third-party module named SquidRouterModule drained $3.2M from 86 Gnosis Safe wallets on Ethereum and Base. Full attack chain, the auth flaw, and the lesson.

Aron Turner·May 26, 2026

3m

exploits

GitHub's 3,800-Repo Breach: How a Poisoned VS Code Extension Burned the World's Biggest Code Host

One poisoned VS Code extension on one GitHub employee's laptop cost the company ~3,800 internal repositories. Here is the attack chain, the Mini Shai-Hulud worm internals, and the rotate-everything checklist that follows.

Aron Turner·May 21, 2026

4m

research

Reserve Manipulation Isn't Dead

Seven BSC pools drained $3M in 2026 H1 — same reserve-manipulation primitive every time. Here's what auditors keep missing.

Alex Rybalko·May 20, 2026

2m

research

Audit the Release Pipeline Like a Smart Contract

Your contracts are audited. Your release pipeline isn't. Mini Shai-Hulud proved npm provenance signs whatever a compromised workflow ships. Here's the checklist Web3 teams should run on their own pipeline.

Dmitry Serdyuk·May 19, 2026

3m

research

Copy Fail: When a Linux Bug Becomes Protocol Risk

Copy Fail is a Linux kernel privilege escalation, not a smart contract bug. For Web3 teams running validators, CI runners, deployer hosts, and signing infrastructure, that's exactly why it matters.

Dmitry Serdyuk·May 5, 2026

3m

exploits

Kelp DAO's $292M Hack and Aave's $6B Fallout: One Config Parameter Broke DeFi

A 1-of-1 LayerZero DVN let attackers drain 116,500 rsETH ($292M) from Kelp DAO, loop it through Aave V3 for $266M in ETH, and wipe $6B in Aave TVL in 24 hours. No Solidity bug. One config parameter broke DeFi.

Aron Turner·Apr 20, 2026

4m

case-studies

The Delve Scandal: How a $300M Compliance Startup Sold Fake SOC 2 Reports and Got Expelled from YC

YC expelled Delve after an investigation revealed 493 of 494 SOC 2 reports were identical boilerplate. Here's the full breakdown of the $300M compliance fraud.

Alex Rybalko·Apr 9, 2026

3m

exploits

Drift Protocol's $270M Exploit: How Solana's Durable Nonces Became a Social Engineering Weapon

An attacker drained $270M from Drift Protocol by abusing Solana's durable nonce feature to pre-sign malicious multisig transactions weeks before execution.

Aron Turner·Apr 3, 2026

3m

industry

How to Choose a Smart Contract Audit Firm Without Getting Burned

A framework for evaluating audit firms based on methodology, track record, and specialization, not marketing. What to look for, what to avoid, and the questions most teams forget to ask.

Kolin Cunningham·Mar 20, 2026

3m

technical

Smart Contract Audit Checklist: What to Prepare Before Your Engagement

The preparation checklist that separates smooth audit engagements from costly delays. What your team needs to have ready before auditors touch your code.

Dmitry Serdyuk·Mar 20, 2026

3m

industry

What Does a Smart Contract Audit Actually Cost in 2026

Real audit pricing data from 2026. What affects cost, what you should expect to pay, and how to evaluate whether an audit is worth the investment for your protocol.

Aron Turner·Mar 20, 2026

3m

research

Claude Code Security vs Codex Security: What Each AI Vulnerability Scanner Actually Delivers

Anthropic and OpenAI both shipped AI-powered vulnerability scanners in early 2026. We break down what each tool actually does, where they fall short, and why neither one replaces a smart contract audit.

Dmitry Serdyuk·Mar 18, 2026

4m

exploits

Aave's $27M Liquidation Incident: How a Stale Oracle Parameter Wiped Out 34 Users

A desynchronized oracle parameter caused Aave to undervalue wstETH by 2.85%, triggering $27M in wrongful liquidations across 34 users. Full technical breakdown.

Aron Turner·Mar 12, 2026

3m

industry

What to Expect From a Smart Contract Audit Report

What a professional audit report actually contains, how findings are classified, and how to use the report to ship secure code, not just check a compliance box.

Aron Turner·Mar 10, 2026

3m

research

AI's Growing Role in Auditing and Cybersecurity

With smart contract deployments hitting a record 8.7M per quarter, manual review can't keep up. Discover why AI-assisted auditing is the only realistic way to close the Web3 security gap.

Aron Turner·Mar 2, 2026

3m

research

The Human Factor: Why Web3's Biggest Threat in 2026 Isn't Bad Code — It's People

In 2025, social engineering drove 55% ($1.39B) of crypto losses. As attackers pivot from smart contracts to phishing, learn why true Web3 security requires more than just code audits.

Kolin Cunningham·Feb 26, 2026

3m

research

What $10.77 Billion in Hacks Reveals About Audit Effectiveness

Analysis of 100 largest protocol hacks totaling $10.77B. Only 20% were audited, but the ones that were share a pattern. Firm comparison, verified exploit data, pricing, and evaluation criteria.

Alex Rybalko·Feb 25, 2026

3m